GROWING THREATS CALL FOR MULTIPLE LAYERS OF DEFENSE AND SECURITY
VOLUME 98 | ISSUE 9 | SEPTEMBER 2019
“YET ANOTHER PIECE ABOUT CYBERCRIME AND FRAUD PREVENTION?” you ask. Chances are you’ve seen more than your share of stories and headlines recently about the threat cybercrime and fraud pose to the real estate industry. It’s a significant issue. Title agents are privy
to incredible amounts of sensitive information. As a result, they’re being targeted by fraudsters and cybercriminals. Maybe you think that, by now, you’re buttoned up against most of the threats.
Chances are that you’re wrong. And being wrong about cyber security could quickly put you out of business. So yes, this is indeed one more article about cyber security.
An All-you-can-eat Buffet of Threats
Cybercrime, fraud, malware—it all sometimes runs together
in our collective consciousness. They’re not all the same thing. There’s a veritable smorgasbord of threats targeting the average title agent today and the bad guys are tuning in to the wealth of private information agents control without adequate protection.
In fact, some of the threats don’t even come from the bad guys. Natural disaster, general hardware failures, software issues, and good old-fashioned human error can become a catastrophe for your employees and your clients. Then there are the malicious events: ransomware and other evolving kinds of malware, phishing, internal threats, social engineering and, of course, fraud. It’s great that many have taken steps to slow wire fraud or installed a state- of-the-art anti-virus program. But standing alone, they’re not nearly good enough. It takes a comprehensive effort.
Everyone Thinks They’re Prepared
Consider a few statistics. It probably doesn’t surprise you that SmallBizTrends.com reports that 43 percent of cyberattacks
target small business, but did you know that 60 percent of small companies impacted by a cyber attack go out of business within six months? Or that the average cost of recovery from small business data breaches is $36,000, according to Security Magazine?
Most leaders of small or mid-sized business believe they are prepared for the worst. In fact, prior to being victimized, 81 percent of organizations affected were confident that data backup would provide them with complete recovery, Barkly.com reported. Yet, only 42 percent of IT professionals successfully recovered their data after a ransomware attack, according to Barkly.com. So, what’s a title agency to do at a time when margins are compressed and IT budgets are somewhere between lean and non-existent?
Whether you run a Fortune 500 enterprise or a five-employee shop, nobody is 100-percent safe. Unfortunately, that’s just the reality of it. There are dozens of things you can do to further lock down your non-public personal information (NPI) that we don’t even have the space to include here. Nonetheless, the sheer number of potential threats to your business means that taking a multi-step, or layered, approach improves your odds exponentially. Let’s talk about the most important actions that you can take to protect your business and your data.
The first layer any small or mid-sized (or large) agent should consider falls under the heading of “prevention.” Let’s start with the obvious. As the threat of wire fraud grows, multi-factor authentication is quickly catching on. Many agencies now require a username, password and third identifier, such as a verification through text message or authentication app, to access company e-mail. But don’t forget that cyber security is not something
one can do once and for all. This needs to be a continuous and developing process in order to thwart increasingly sophisticated criminal efforts.
Email phishing testing—automated, randomized user testing— is an easy way to keep your team alert and prepared for when the real criminals are lurking behind the keyboard. By sending non- lethal phishing emails to your employees and measuring who clicks on them and how often, you can know where to focus your security training investment.
Security awareness training on a continuous basis is necessary to reduce your risk. A business can employ millions of dollars of sophisticated hardware and programming to curb risk, yet still be vulnerable if the people handling your data daily don’t recognize the threats that make it through your defenses. People are your greatest asset—and liability—when it comes to spotting and assessing threats. Provide them with quality training from white- hat security professionals so that they know what to look for and what to do in order to serve their role and keep your company safe.
The second category of layers in a well-positioned cyber defense is protection. Again, most agents already have some of these elements in place. Anti-spam filtering is an absolute necessity today, so don’t leave home without it. Business-grade network firewalls and locked-down Wi-Fi systems are other staples that any qualified IT professional or consultant should have in place. Don’t rely on the big box store down the street to take care of the security of your network—their liability for your security ends when you walk out the door. If your client can connect to your server from the Wi-Fi in your parking lot, then so can the hackers.
Consider also using GeoBlocking, which utilizes a global IP address database to identify and block traffic based on geographic location. This can reduce threat exposure from proven, high-risk areas such as China, Russia or Africa. Also, a thoroughly layered defense should include DNS filtering. This blocks categories of websites which have been identified as security risks based on their domain name before they can even reach the internal network.
The final layer of a solid cyber defense is one that’s critical in the moments after a fraud or attack has taken place. Unfortunately,
that’s something that too many victims are forced to improvise. In some ways, your agency’s response layer is as much prevention and preparation as it is reaction. If you don’t have a plan and protocols in place for each of the threats we’ve mentioned, you’re already two steps behind if you are the victim of a fraud or cyber attack.
The two best ways to prepare for an event that can’t be or hasn’t been prevented are having a disaster recovery solution and a rock- solid data backup policy. In the case of a disaster that prevents your major IT systems from functioning, you’ll need to have a plan that includes systems available for you to recover to. Remember, not all disasters are easy to plan for. Disasters can be caused by tornadoes, hurricanes or a broken water pipe above the server. However, the unseen threats like ransomware, software malfunction and data corruption can cause just as much damage to your business.
Data backups are almost as important today as having a good escrow mechanism or even having clients. It’s data that cyber criminals are most often after, and data which allows you to serve your clients. A good backup plan envisions backups of critical data that are taken both onsite and offsite so that there are three copies of the data available in at least two physical locations. Thus, if your data gets deleted by an employee or corrupted by a malware, it can be recovered.
When it comes to disaster recovery, the principle of people- as-assets again comes into play. Good communication is crucial in the moments after an attack or disaster occurs. Solid and updated security protocols ensure your team isn’t “winging it” in the critical early minutes and hours after a cyber event. And
continuous improvement applies as much to your recovery plans as any other layer. As our industry grows more sophisticated, so too do the criminals and the ways your data can be compromised. It’s imperative that you not only make the initial investment in cyber security, but that you account for regular monitoring, updates, and education as well.
Again, all of what we’ve just discussed is just a starting point. There are easily another dozen things or more that you can do to reduce your risk against cybercrime, fraud and data disasters. For example, consider hiring professionals (whether in-house or not) who can align you with the best-in-class standard for data security, SOC2 Type 2. Understand that no defense is perfect, but that the risk of not having a multi-layered plan greatly outweighs the cost of preparation. Your data, and your clients’ data, is now the lifeblood of your business. The threats are growing more sophisticated by the day. So, we ask again, are you truly prepared?
By Shawn Fox and Kevin Nincehelser